Strong Password Ideas to Keep Your Information Safe


Password protection is one of the most common security protocols available. By creating a unique password, you are both proving your identity and keeping your personal information safer. However, when every account you have requires a separate password, it can be an overwhelming task. While you should be concerned about the safety of your data, you also want to avoid the frustration of forgetting your password and being blocked from the information you need. However, the benefits of using strong, unique passwords outweigh the occasional inconvenience.

Benefits of Strong Passwords

The main benefit of a strong password is security. Hackers work quickly when they are trying to access accounts. They want to steal as much information as they can in as short a time as possible. This makes an account with a strong password less inviting because cracking the code is much more involved.

A strong password also limits the damage that hackers can do to your personal accounts. A common strategy involves cracking the passwords of less secure sites with limited personal information. The hackers hope that they can use the password from your gym membership app to access information in your online banking account. Strong password protection prevents this situation.

Common Poor Password Practices

When someone is registering an online account, it can be tempting to blaze through the password process. In order to move quickly, there are several poor password practices that people employ.

Simple passwords: Password-cracking programs start by entering obvious combinations. These are passwords where the user puts no thought into the code such as “password” or “1234567”.
Repeated passwords: You may think you have such an unbreakable password that you want to use it for all of your accounts. However, this means that if hackers compromise one of your accounts, all of your other accounts are vulnerable.
Personal information: The number combinations that you are apt to remember easily are the ones that hackers can find. You may have put your birthday or graduation year on public display in a social media account. Your dog’s name may be unusual, but if you share information about your canine friend with the world, its name is a weak password.

The Meaning of a Strong Password

A password is considered strong when it is difficult for a hacker to crack it quickly. Sophisticated algorithms can run through many password combinations in a short time. A password that is long, complex and unique will discourage attempts to break into your accounts.

Long: The combinations that protect your accounts should be long enough that it would be difficult for a computer program to run through all the possible configurations. The four-digit PIN on a bank card has 10,000 possible combinations. This might take some time for a human being to crack, but a computer program with unlimited tries could break it in a few seconds. If you were only using numbers, every additional character in your password would multiply the possible combinations by 10. To stump the algorithms, you want a password that is a minimum of 12 characters long.
Complex: To increase the challenge of your password, it should have a combination of uppercase letters, lowercase letters, symbols and numbers. Hacking algorithms look for word and number patterns. By mixing the types of characters, you will break the pattern and keep your information safe.
Unique: If you have been reusing your passwords, it is time for you to start the work of changing them. Every one of your accounts should have its own password. At the very least, make certain that you have not reused passwords for your financial institutions, social media accounts and any work-related accounts.

Creating a Layered Password

If you want a password that is memorable but strong, you can easily turn a phrase into a layered, complex password. In this process, it is important to note that you should not use personal information that is available online as part of your phrase.

Pick a phrase that is memorable for you: It should not be a phrase you commonly use on social media accounts. If you are an avid runner you might choose a phrase like, “Running 26.2 Rocks!”
Replace letters with numbers and symbols: Remove the spaces. Then, you can put symbols and numbers in the place of some of the letters. Runn1ng26.2R0ck$!
Include a mix of letter cases: Finally, you want both lower and uppercase letters that are not in a clear pattern. Algorithms know how to look for common patterns like camelCase or PascalCase. Runn1NG26.2R0cK$!

Now, you have a password that you can remember while challenging the algorithms hackers use.
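The "Long" and "Complex" criteria above can be measured directly: count the characters, see which character classes appear, and compute how many candidates an exhaustive search would have to try (the article's 10,000 combinations for a four-digit PIN is the same arithmetic). The following is an added example, not code from the McAfee post; the character-class alphabet sizes come from Python's string module, and the one-billion-guesses-per-second rate is an assumed figure for illustration only.

```python
import math
import string

# Character classes the article's "Complex" criterion asks for.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # the 32 printable ASCII symbols
}
MIN_LENGTH = 12  # the article's "Long" criterion


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Number of candidates an exhaustive search must cover: the alphabet size
    (union of the classes present) raised to the password length.
    A four-digit PIN gives 10 ** 4 == 10000, as in the article."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at the given (assumed) guess rate."""
    return keyspace(password) / guesses_per_second


def evaluate(password, guesses_per_second=1e9):
    """Score a password against the article's 'Long' and 'Complex' criteria."""
    used = classes_used(password)
    return {
        "length": len(password),
        "classes": sorted(used),
        "long_enough": len(password) >= MIN_LENGTH,
        "complex": used == set(CLASSES),
        "keyspace_bits": round(math.log2(keyspace(password)), 1),
        "seconds_to_exhaust": seconds_to_exhaust(password, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed inputs: the article's PIN and weak examples, then its layered password.
    for pw in ["1234", "password", "Runn1ng26.2R0ck$!", "Runn1NG26.2R0cK$!"]:
        print(pw, evaluate(pw))
```

The keyspace figure only measures resistance to trying every candidate. It does not capture the article's point about pattern-aware cracking: a phrase built from dictionary words with a few substitutions is still far easier to guess than the same number of random characters, which is why the "Unique" criterion and the password manager's random strings matter as much as length.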

Employing a Password Manager

When you consider the number of accounts you need to protect, coming up with a properly layered password is a time-consuming task. Even if you are able to decide on a memorable phrase, there are just too many accounts that need passwords. A password manager is a helpful tool to keep you safe while you are online. It acts as a database for all of your passwords. Each time you create a new code, it stores it so that you can automatically enter it later. You only need to remember a single password to access the tools of your manager.

Most managers can also do the work of creating complex, layered passwords for your accounts. These will be a string of random numbers, letters and symbols. They will not be memorable, but you are relying on the manager to do the memorizing. These machine-generated passwords are especially helpful for accounts you rarely access or that do not hold significant information.

Maintaining an Offline Password List

For critical accounts like your bank account or a work-related account, it can be helpful to keep an offline list of your passwords. Complex passwords are meant to be difficult to remember. You may recall the phrase but not all the detailed changes that make it layered. Keeping a document on a zip drive or even in a physical paper file or journal will allow you to access your information if your hardware fails or you are switching to a new system.

Keeping the Whole System Safe

Cracking passwords is just one of the strategies hackers use to steal information. In addition to using strong passwords, it is important to employ comprehensive security software. Strong passwords will help protect your online accounts. Strong overall security will keep your hardware and network safe from danger.

The post Strong Password Ideas to Keep Your Information Safe appeared first on McAfee Blog.


Full IT Visibility Requires Business Risk Context


Having a full, continuously updated and detailed understanding of all IT assets is one of the holy grails for security teams. To achieve it, we must first understand what “visibility” truly entails, how it is more than just identifying what is out there, and which challenges must be addressed.

If we looked at the starting point of any Information Security framework or best practice over the last 20 or so years, we’d find the initial phase to be “discovery” or “identify” or “understand” or some variation thereof. Collectively, what they’re all saying is that we can’t protect what we don’t know we have. Or more pointedly, we can’t start to make good decisions about how and where to protect our environments if we don’t know what we have. Having broad visibility into what assets are part of our overall infrastructure is the key, fundamental piece of any successful security program.

Despite this being widely accepted and acknowledged, most security practitioners will tell you that getting to that state of complete visibility is still painfully difficult. Security teams implement a wide array of tools, spend a great deal of time integrating data sets from asset management systems and other potential sources of truth, and yet, few will say they feel confident that they truly understand their environment. Why is that? For the most part, it boils down to two key considerations that aren’t being addressed when organizations try to understand their environments:

Are you actually looking for and identifying all of your assets, or just the ones you think you know about?
Do you understand the context of assets as it pertains to security findings, risk and impact to your organization?

First and foremost, reaching total visibility means identifying and assessing all of the technical assets in your environment, and not just the “easy” ones that are familiar to most IT and security teams. While starting with servers, workstations, network infrastructure equipment and other traditional IT devices is an excellent practice, it’s an all too common situation that other assets are overlooked or completely missed. What else is there? Ask yourself if your team is identifying the following assets:

Databases
Web applications
OT / ICS / SCADA / Industrial IoT devices
Cloud infrastructure
Virtualization platforms
Containers
Cloud orchestration services
Infrastructure as Code (IaC) configurations
Active Directory / Credentials / Groups
Public-facing hosts / hostnames / records

The list can go on. While it may be viewed as being too difficult to identify these kinds of assets, they are still critically important to most businesses, are at risk from cyberattacks, and if compromised, will impact the financial and reputational well-being of the organization. If security teams are to take a meaningful first step toward better visibility and a more complete understanding of their environment, then they have to get their arms around all of these assets as well as the more traditional ones we are all familiar with.

It’s for this very reason that Tenable has continuously broadened the tools available on our platform to be able to safely and properly identify assets like these and pull that data back to a single place. Identifying vulnerabilities and other security risks starts with being able to identify and understand the target. With that level of visibility, organizations are better positioned to understand where the greatest risks are within their environment and start taking the necessary steps to mitigate risk where it matters most.

Now, some organizations may have progressed to the point where they’ve become really good at gathering asset inventory data and have a good understanding of what their environment looks like. But, this is yet another place where it starts to fall apart. Having a lot of disparate data, usually spread out between several different repositories, means that security teams have to do a lot of transformation to not only get the information together into one place for better analysis, but they also need to figure out ways to normalize the information they’ve collected. After all, not every asset has an IP address or a host name. Code repositories won’t have the same identifiers as a container instance. Web applications might be identified by domain name or URL, but an industrial Programmable Logic Controller (PLC) may not even be attached to a known network. 

And it’s not just the base asset identifiers that are varied and complicated. Any type of vulnerability or security finding is going to be just as different and disparate, depending on the asset itself. A server may have an easily identifiable vulnerability that has an assigned CVE number, but an IaC misconfiguration won’t have any standard identifier at all. Web application vulnerabilities like SQL Injection and Cross-Site Scripting are more techniques than specific, consistently identifiable OS vulnerabilities. And in the world of Active Directory, underlying security problems stem from compromises to how AD functions and validates credentials across an entire enterprise, which are not things that are fixed by applying a missing patch. 

If your security team has been tasked with trying to understand the risks within the environment and make the decisions about where and what to mitigate first, where would you even begin when you’re not looking at things in an “apples-to-apples” sort of way? In reality, this type of disparate data isn’t even “apples-to-oranges”, and in fact, is much more like “apples-to-starships-to-penguins-to-adjectives”. Understanding the context behind assets and their security findings is key. We first must pull together all this information and normalize it in a way where there is a consistent and measurable way to understand the risk posed to the business by each of these findings. Then we can start to relate the various risk factors against each other and make the best decision we can about where the organization is most at risk, how much risk it presents, and what we need to do to mitigate it. Gathering data is difficult enough as it is, but even if you manage that part, you won’t get far if you can’t focus on what’s truly important. You’ll be left with a lot of spreadsheets and databases to manage while still asking the same questions about where to begin.
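The two preceding paragraphs describe the concrete engineering problem: each source reports assets under a different identifier (IP, URL, image digest, repository path) and findings under different schemes (a CVE with a CVSS score, an IaC misconfiguration with only a severity label, a web finding known by technique), and nothing can be ranked until all of it is on one scale. The following is an added example of that normalization step; it is not Tenable's code or data model. The sample asset and finding records are constructed, the CVE identifiers are placeholders, and the mappings from IaC severity labels and web-vulnerability categories onto a 0-10 scale are assumed choices a team would have to make for itself.

```python
# Constructed sample records, shaped the way four different tools might report them.
# The identifiers deliberately differ per source, as the article describes.
HOST = {"source": "vuln_scanner", "ip": "10.0.0.5", "hostname": "db01", "criticality": 5}
WEBAPP = {"source": "web_scanner", "url": "https://shop.example.test/", "criticality": 4}
CONTAINER = {"source": "registry", "image": "registry.example.test/api",
             "digest": "sha256:0000constructed", "criticality": 3}
IAC = {"source": "iac_scanner", "repo": "git.example.test/infra",
       "path": "prod/bucket.tf", "criticality": 2}

FINDINGS = [
    {"asset": HOST, "kind": "cve", "id": "CVE-EXAMPLE-0001", "cvss": 9.8},       # placeholder id
    {"asset": WEBAPP, "kind": "webapp", "id": "sqli-on-search", "category": "sql_injection"},
    {"asset": CONTAINER, "kind": "cve", "id": "CVE-EXAMPLE-0002", "cvss": 7.5},  # placeholder id
    {"asset": IAC, "kind": "iac", "id": "public-read-bucket", "severity": "high"},
]

# Assumed mappings onto one 0-10 scale. CVEs already carry a CVSS base score; the other
# finding types have no standard identifier or score, so the team must choose these.
IAC_SEVERITY = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}
WEBAPP_CATEGORY = {"sql_injection": 9.0, "xss": 6.0, "info_disclosure": 4.0}


def asset_key(asset):
    """Derive one stable key from whatever identifier the source happens to provide."""
    if "ip" in asset:
        return f"host:{asset['ip']}"
    if "url" in asset:
        return f"webapp:{asset['url']}"
    if "digest" in asset:
        return f"container:{asset['image']}@{asset['digest']}"
    if "path" in asset:
        return f"iac:{asset['repo']}/{asset['path']}"
    raise ValueError(f"no usable identifier in {asset}")


def normalize_severity(finding):
    """Map each finding type onto the shared 0-10 scale."""
    kind = finding["kind"]
    if kind == "cve":
        return float(finding["cvss"])
    if kind == "iac":
        return IAC_SEVERITY[finding["severity"].lower()]
    if kind == "webapp":
        return WEBAPP_CATEGORY[finding["category"]]
    raise ValueError(f"unknown finding kind {kind!r}")


def risk_score(finding):
    """Severity weighted by how critical the asset is to the business (1-5 scale)."""
    return normalize_severity(finding) * finding["asset"]["criticality"] / 5


def prioritize(findings):
    """Return findings as normalized rows, highest business risk first."""
    rows = [{"asset": asset_key(f["asset"]), "finding": f["id"],
             "severity": normalize_severity(f), "risk": round(risk_score(f), 2)}
            for f in findings]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

The point of the example is the shape, not the particular numbers: once every asset has one key and every finding one comparable score, the "where do we begin" question becomes a sort, and the business-context input (here a 1-5 criticality on the asset) is what separates a high-severity finding on a lab box from the same finding on the production database.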

Want more guidance about your security strategy? Check out Tenable’s 2021 Threat Landscape Retrospective, which provides a comprehensive analysis of last year’s threat landscape that security professionals can use to improve their security right now.


Dropping security updates for WordPress versions 3.7 through 4.0


As of December 1, 2022 the WordPress Security Team will no longer provide security updates for WordPress versions 3.7 through 4.0.

These versions of WordPress were first released eight or more years ago, so the vast majority of WordPress installations run a more recent version of WordPress. The chances this will affect your site, or sites, are very small.

If you are unsure whether you are running an up-to-date version of WordPress, please log in to your site’s dashboard. Out-of-date versions of WordPress will display a notice that looks like this:

In WordPress versions 3.8 – 4.0, the version you are running is displayed in the bottom of the “At a Glance” section of the dashboard. In WordPress 3.7 this section is titled “Right Now”.
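For an administrator responsible for several sites, checking each dashboard by hand does not scale. The following is an added example, not part of the WordPress announcement: it reads the `$wp_version` assignment that WordPress keeps in `wp-includes/version.php` and reports whether the version falls in the 3.7 through 4.0 range that is losing security updates. The file contents here are a constructed sample with a made-up version value, and the file path and variable name are the real ones WordPress uses.

```python
import re

# The announcement covers 3.7 through 4.0, which includes every 4.0.x point release.
AFFECTED_MIN = (3, 7)
AFFECTED_MAX = (4, 0)

# Constructed stand-in for wp-includes/version.php; the version value is made up.
SAMPLE_VERSION_PHP = "<?php\n/**\n * WordPress version.\n */\n$wp_version = '3.9.2';\n"

VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)'\s*;", re.MULTILINE)


def parse_wp_version(text):
    """Extract the version string from the contents of version.php."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version):
    """'4.0.38' -> (4, 0, 38); trailing labels such as '-beta1' are dropped."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    if not core:
        raise ValueError(f"unrecognised version string {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_affected(version):
    """True when the major.minor branch lies in 3.7 <= v <= 4.0."""
    branch = version_tuple(version)[:2]
    return AFFECTED_MIN <= branch <= AFFECTED_MAX


def check_version_file(text):
    """Combine the two steps into one report for a single site."""
    version = parse_wp_version(text)
    return {"version": version, "loses_security_updates": is_affected(version)}


if __name__ == "__main__":
    # In practice, read the real file: open("/path/to/site/wp-includes/version.php").read()
    print(check_version_file(SAMPLE_VERSION_PHP))
```

Comparing on the major.minor tuple rather than on the string avoids the usual trap where "4.0.10" sorts before "4.0.9" lexically and where "4.1" would wrongly match a check written as a prefix on "4.0".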

The Make WordPress Security blog has further details about the process to end support.


Guide to the best data privacy certifications for 2022


This blog was written by an independent guest blogger.

According to research by Statista, over 80% of internet users in the US fear that their personal information is vulnerable to hackers. Data privacy defines how organizations and other entities collect data on other individuals, how they process it, for what purposes they collect and process it, how long they keep it, and how they protect it, to name a few.

In the modern digital environment, data privacy certifications are essential since they impart the skills needed to become privacy specialists. Decision-making, employee training, determining business constraints, managing risk assessment, and streamlining a company’s privacy program are all part of the job of privacy experts.

Organizations increasingly rely on privacy professionals to provide a strategic framework that can adapt to the changing technological landscape, market demands, and constantly changing legislative framework.

Privacy is a serious concern among organizations across the globe due to the growing number of data privacy obligations. These privacy laws have been enacted to protect the rights and freedoms of data owners.

How privacy certifications can advance your career

Here, having a data privacy certification enables organizations to demonstrate how well they implement best practices as recommended by privacy laws to uphold the privacy and security of their users’ data. Furthermore, these certifications enable organizations to validate privacy by design and privacy by default when integrating new technologies and processes into their operations. They are making an effort to ensure that their personnel are on the same page as well.

For a long time, certifications have been used to demonstrate an individual’s excellence, expertise, and knowledge in a specific domain. In fact, certifications can make a reasonable differentiation between a person with a certification and a person without one. Certifications have also been seen to help individuals get promoted and even get a significant raise.

When it comes to data privacy certification, these certifications are beneficial for those who are involved in implementing privacy technologies, strategizing privacy frameworks, or advising on legal matters when it comes to protecting the data privacy of their users or customers. Privacy-specific certifications enable privacy enthusiasts, privacy professionals, and aspiring individuals to get a grip on the changing privacy laws across the globe, the complex modern privacy framework, or privacy considerations in the data lifecycle.

Top data privacy certifications for 2022

There are different types of privacy certifications available. Some certifications are designed to help beginners or aspiring privacy professionals, while other certifications are designed to help professional practitioners implement technical controls around privacy frameworks, assist with legal issues, build policies and procedures, etc.

Therefore, it is imperative that you first decide how a particular certification will enable you to perform your job better and become “a cut above the rest”. Let’s take a look at some of the best privacy certifications, designed by some of the renowned privacy professionals and organizations in the industry.

IAPP Certified Information Privacy Manager (CIPM) certification

The certified information privacy manager (CIPM) certification is designed by one of the renowned names in the data privacy and protection community, the International Association of Privacy Professionals (IAPP). The CIPM certification enables privacy professionals to understand how privacy obligations work for any organization, how the obligations can be implemented, how teams are structured, and how systems are developed around a robust privacy framework.

The CIPM certification is a 2.5-hour long exam containing 90 questions. The certification exam costs approximately $550, and $375 if it is retaken. Among the many reasons why you might want to enroll in the CIPM certification are the following:

It is an industry-standard privacy management program.
It helps individuals manage and develop privacy management programs across the data lifecycle.
It elevates an individual’s leadership profile in data privacy.


Securiti PrivacyOps certification

Another prominent certification in the data privacy community is the PrivacyOps certification by Securiti. The PrivacyOps certification discusses the differences between the traditional privacy framework and the modern privacy framework, and how the latter enables organizations to streamline their privacy operations by powering their privacy framework with Artificial Intelligence (AI) and Machine Learning (ML) technologies.

The course outline includes an introduction to the modern privacy framework, global privacy laws, such as GDPR, LGPD, PIPL, CPRA, or PDPL, data mapping and data subject requests automation, consent lifecycle management, vendor assessment, privacy notice management, breach notification automation, and more.

The PrivacyOps certification is completely free. It includes 11 modules, with 9 quizzes, and then the main certification exam. By completing this certification, you also get to earn 4 IAPP CPE credits for free.


ISACA Certified Data Privacy Solutions Engineer (CDPSE) certification

Developed by the Information Systems Audit and Control Association (ISACA), the CDPSE is a technical certification that enables individuals to understand how to enable privacy by design and privacy by default in any organization. The certification is ideal for people who are performing IT job roles like data scientists, data analysts, privacy advisors, and privacy solution architects, to name a few. It intends to educate technologists in privacy by design integration so that they may confidently and thoroughly apply it to all aspects of their work, including the creation of new technologies, products, or procedures.

The Certified Data Privacy Solutions Engineer program also teaches professionals to maintain compliance cost-effectively and to consider data privacy when engaging with other professionals. The three CDPSE work-related domains are covered in the exam in the following ratios:

Privacy governance: 34%
Privacy architecture: 36%
Data lifecycle: 30%

The exam price is $575 for ISACA members and $760 for non-members. After passing the exam, you must formally apply for CDPSE certification. This application costs $50.


IAPP Certified Information Privacy Professional (CIPP) certification

This certification program, which emphasizes the implementation of data privacy rules and regulations, is provided by the International Association of Privacy Professionals (IAPP).

Anyone working in or looking for a position in legal compliance, information management, data governance, or human resources is encouraged to get this certification. The CIPP program also offers four concentrations, each pertinent to a particular worldwide region, because compliance rules differ depending on where you are. The following are just a few of the many reasons you might wish to sign up for the CIPP certification, which covers:

Models for territorial regulations, standards, and enforcement.
Basic privacy notions and principles.
Laws governing the handling and transfer of data.

The CIPP certification exam costs approximately $550 and $375 if it is retaken. If you currently hold one or more IAPP certificates and are considering obtaining additional, you can take any upcoming exams for $375, saving you $175.


Conclusion

Certifications can help individuals not only with getting a good raise but also allow them to better help organizations implement privacy standards and practices.


CVE-2021-36783


An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE Rancher Rancher versions prior to 2.6.4; Rancher versions prior to 2.5.13.


CVE-2021-36782


A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve the plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.


4 strategy game-changers for finding cybersecurity talent


Dave Stirling, CISO of Zions Bancorporation, isn’t waiting for a shakeup in the talent pool or some big shift in the job market to solve the cybersecurity skills gap. Instead, he’s making his own luck. How? By changing up his own staffing strategy, “by trying different things and seeing what sticks.”

That approach has Stirling recruiting candidates from the bank’s IT and operations staff, working with local colleges, investing more in training and rethinking how he posts open jobs. He acknowledges that such moves, even when taken all together, aren’t a silver bullet to the well-publicized challenges in finding, hiring and keeping staff. However, he says they’re making incremental improvements in his ability to recruit and retain hard-to-find cybersecurity talent.

